1.Summary
This is a trojan detection. Unlike viruses, trojans do not
self-replicate. They are spread manually, often under the
premise that they are beneficial or wanted. The most common
installation methods involve system or security exploitation,
and unsuspecting users manually executing unknown programs.
Distribution channels include email, malicious or hacked web
pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
2.Aliases
3.Characteristics
Erazer Lite is
a Remote Access Trojan consisting of a server component, client
component and a server editor component.
The characteristics of this Trojan with regards to the file
names, port number used, etc will differ, depending on the way
in which the attacker had configured it. Hence, this is a
general description.
A.Server Component:
When the server component is executed, the Trojan drops
itself to:
The following registry entry is created, so it can run at
system startup:
Once running,
the server component connects to a pre-defined IP address on a
pre-defined port, waiting for commands from the attacker
Note: %System% is a variable location and refers
to the windows system directory.
B.Client Component:
The client component runs on the attacker抯 computer, and
connects to the server component on the victim抯 machine
remotely.
The following are a list of some of the functions that are
available to the attacker:
- Process Manager (List, kill running processes)
- File
Manager (List, upload, download, delete)
- Registry
Manager (Browse Registry, add, edit, delete keys)
- Windows
Manager (Browse, close, maximize/minimize, rename)
- Get
system information
- Extract
passwords from machine
- Key
logger
-
Read/Modify contents of the clipboard
- Screen
capture
- Pranks
played on the victim (Hiding desktop icons, start button,
taskbar, opening and closing CD-Rom)
- Desktop
logoff, reboot or shutdown
-
FTP-server, Telnet-Server
- Format
drives
C.Miscellaneous Information:
- This Trojan is written in
Delphi
- The
author抯 intended name for the Trojan is 揈razer Lite
4. Detects Trojan
The communication
between client and server of Trojan is usually with TCP, UDP and
ICMP protocol. Sax2 from Ax3soft is based on the analysis of
protocol and can accurate tracking
network connecting conversation and reorganize the TCP / IP data
of the communication. When it detect that your network in the
risk of Trojans, it will immediately suspended or interference
with communications of Trojan to protect your network from
attack. Why not
have a try? Sax2 will immediately upgrade it’s Security
Strategy Knowledge Base after finished installation. Below will
introduce how to use Sax2 to detect whether your system has
infected of the Trojan - Erazer Lite.
First of all, launch and
run Sax2, switch to "EVENTS" pages. If there is Erazer
Lite
communication in your network, Sax2 will immediately report and
interrupt Trojan communications. See the picture:
|
